The following table lists the Identity and Access Management (IAM) permissions required to run each Cloud Storage XML method on a given resource.

Method | Resource | Subresource | Required IAM Permissions<sup>1</sup> |
---|---|---|---|
DELETE | bucket | | storage.buckets.delete |
DELETE | object | | storage.objects.delete |
DELETE | object | uploadId | storage.multipartUploads.abort |
GET | | | storage.buckets.list |
GET | bucket | | storage.objects.list |
GET | bucket | acls<sup>3</sup> | storage.buckets.get, storage.buckets.getIamPolicy |
GET | bucket | Non-ACL metadata | storage.buckets.get |
GET | bucket | uploads | storage.multipartUploads.list |
GET | object | | storage.objects.get |
GET | object | acls<sup>3</sup> | storage.objects.get, storage.objects.getIamPolicy |
GET | object | uploadId | storage.multipartUploads.listParts |
HEAD | bucket | | storage.buckets.get |
HEAD | object | | storage.objects.get |
POST | object | | storage.objects.create, storage.objects.delete<sup>4</sup> |
POST | object | uploadId | storage.multipartUploads.create, storage.objects.create, storage.objects.delete<sup>4</sup> |
POST | object | uploads | storage.multipartUploads.create, storage.objects.create |
PUT | bucket | | storage.buckets.create |
PUT | bucket | acls<sup>3</sup> | storage.buckets.get, storage.buckets.getIamPolicy, storage.buckets.setIamPolicy, storage.buckets.update |
PUT | bucket | Non-ACL metadata | storage.buckets.update |
PUT<sup>5</sup> | object | | storage.objects.create, storage.objects.get<sup>2</sup>, storage.objects.delete<sup>4</sup> |
PUT | object | acls<sup>3</sup> | storage.objects.get, storage.objects.getIamPolicy, storage.objects.setIamPolicy, storage.objects.update |
PUT | object | compose | storage.objects.create, storage.objects.get, storage.objects.delete<sup>4</sup> |
PUT | object | uploadId | storage.multipartUploads.create, storage.objects.create |

<sup>1</sup> If you use the x-goog-user-project header or userProject query string parameter in your request, you must have serviceusage.services.use permission for the project ID that you specify, in addition to the normal IAM permissions required to make the request.

<sup>2</sup> This permission is required for the source bucket when the request includes the x-goog-copy-source header.

<sup>3</sup> This subresource does not apply to buckets with uniform bucket-level access enabled.

<sup>4</sup> This permission is only required when the inserted object has the same name as an object that already exists in the bucket.

<sup>5</sup> No permissions are required to make PUT requests associated with a resumable upload.

What's next
- For a list of roles and the permissions they contain, see IAM Roles for Cloud Storage.